From 6fbd381238e97e1d1f3358f0d6d65de78dcf9245 Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Tue, 14 May 2024 15:27:10 +0200
Subject: [PATCH] Catch os.ModePerm permissions in os.WriteFile

Signed-off-by: Cosmin Cojocar
---
 rules/fileperms.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/rules/fileperms.go b/rules/fileperms.go
index 5311f74c6c..eb1fa2eee9 100644
--- a/rules/fileperms.go
+++ b/rules/fileperms.go
@@ -61,7 +61,7 @@ func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, err
 	for _, pkg := range r.pkgs {
 		if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
 			modeArg := callexpr.Args[len(callexpr.Args)-1]
-			if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) {
+			if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) || isOsPerm(modeArg) {
 				return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil
 			}
 		}
@@ -69,6 +69,18 @@ func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, err
 	return nil, nil
 }
 
+// isOsPerm check if the provide ast node contains a os.PermMode symbol
+func isOsPerm(n ast.Node) bool {
+	if node, ok := n.(*ast.SelectorExpr); ok {
+		if identX, ok := node.X.(*ast.Ident); ok {
+			if identX.Name == "os" && node.Sel != nil && node.Sel.Name == "ModePerm" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // NewWritePerms creates a rule to detect file Writes with bad permissions.
 func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 	mode := getConfiguredMode(conf, id, 0o600)
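Review bot: The new `|| isOsPerm(modeArg)` in the first hunk fires regardless of the configured `r.mode`, so a literal `0o777` is reported only when it is not a subset of the configured mode while `os.ModePerm` is reported unconditionally; since `gosec.GetInt` evidently cannot evaluate the selector (that is why the extra check exists), the more consistent fix is to resolve it to its value and route it through `modeIsSubset` like every other mode. Mixing `&&` and `||` in one condition without parentheses is also easy to misread, even though Go's precedence gives the intended grouping here. Any other non-literal mode argument (a named constant, a variable) still silently passes the rule after this change, which deserves at least a comment. `Match` starts before this hunk and its body continues past it.
```go
			modeArg := callexpr.Args[len(callexpr.Args)-1]
			mode, err := gosec.GetInt(modeArg)
			if err != nil && isOsPerm(modeArg) {
				// os.ModePerm is a selector, not an integer literal, so GetInt
				// cannot resolve it; substitute its value so the configured
				// mode is honoured the same way as for a literal 0o777.
				mode, err = 0o777, nil
			}
			if err == nil && !modeIsSubset(mode, r.mode) {
				return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil
			}
```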
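Review bot: `isOsPerm` in the second hunk matches only the exact selector `os.ModePerm`; `fs.ModePerm` (the same 0o777 value — since Go 1.16 `os.ModePerm` is an alias of the `io/fs` constant) and the symbol reached through an aliased import are not caught, so those spellings still bypass the rule. Accepting the `fs` package name too is a one-line change: `if (identX.Name == "os" || identX.Name == "fs") && node.Sel.Name == "ModePerm" {` (`node.Sel` is never nil on a parsed `SelectorExpr`, so that guard can go). The doc comment names the wrong symbol and has typos; suggested wording: `// isOsPerm reports whether n is the selector expression os.ModePerm (0o777), which gosec.GetInt cannot resolve.` Whether the aliased-import case matters depends on how `MatchCallByPackage` resolves package names, which is not visible here. `NewWritePerms` continues past the end of this hunk.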